ZyXEL Communications P-335WT User Manual

Browse online or download the Networking user manual for the ZyXEL Communications P-335WT. SANE 2006 paper [en] user guide

Universal Plug and Play: Dead simple or simply deadly?
Armijn Hemel
April 7, 2006
1 Universal Plug and Play overview
Many devices and programs that exist today have support for the Universal Plug
and Play (UPnP) protocol. The UPnP protocol emerged from within Microsoft
in early 1999 to bring the plug and play concept as found on Windows desktop
machines to the local network. The idea behind UPnP is that a user can plug
a device into the local network and it will simply work, whether the device is a
printer, scanner, fileserver or firewall. All configuration is hidden from the user and
is instead done automatically by the devices and programs themselves.
The first implementations of UPnP were shipped halfway through 2000, Windows ME and
Intel’s open source UPnP SDK for Linux being the first. Windows XP has also had
UPnP support built in since its release in 2001. There are currently implementations
for various operating systems, including Windows, VxWorks, Linux[1][2] and
FreeBSD[1][2]. The UPnP protocol stack uses well-defined Internet standards, such
as HTTP, XML and SOAP.
One of the best known programs that uses UPnP is Microsoft’s MSN Messenger.
Ports that need to be opened on the firewall for voice and video traffic (the “webcam”
feature) and direct file transfers in MSN Messenger are allocated dynamically
using UPnP. This is done by sending special UPnP commands to a UPnP-enabled
firewall if the machine that runs MSN Messenger is behind a firewall or NAT device
and cannot communicate with the other machine directly. These commands
instruct the firewall to forward ports on the firewall’s external interface to ports
that MSN Messenger uses on the machine on the inside network.
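A gateway-side policy check for the forwarding request described above, as an added example that is not code from the paper or from any vendor firmware: it parses the SOAP body of an AddPortMapping call and accepts it only when the forward target is on the inside network and is the requesting host itself. The sample request, the LAN subnet and the function name check_add_port_mapping are constructed for illustration; the New* argument names are those of the UPnP Internet Gateway Device service.

```python
import ipaddress
import xml.etree.ElementTree as ET

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed inside network

# Constructed sample: SOAP body of an AddPortMapping call (not captured traffic).
SAMPLE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext_port}</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>{int_port}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>constructed example</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def check_add_port_mapping(body, requester_ip):
    """Return (allowed, reason) for one AddPortMapping request body."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return False, "DTD not allowed"  # no entity tricks in untrusted XML
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed XML"
    action = next((e for e in root.iter()
                   if e.tag.endswith("}AddPortMapping")), None)
    if action is None:
        return False, "not an AddPortMapping call"
    args = {c.tag: (c.text or "").strip() for c in action}
    try:
        # Host names are rejected here: only literal addresses can be checked.
        client = ipaddress.ip_address(args["NewInternalClient"])
        ports = [int(args["NewExternalPort"]), int(args["NewInternalPort"])]
    except (KeyError, ValueError):
        return False, "missing or invalid argument"
    if client not in LAN:
        return False, "target is not on the inside network"
    if client != ipaddress.ip_address(requester_ip):
        return False, "target is not the requesting host"
    if not all(1 <= p <= 65535 for p in ports):
        return False, "port out of range"
    return True, "ok"
```
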
Other programs that use UPnP to open up ports in firewalls are networked games.
Online gaming networks, like Microsoft’s X-Box Live, also heavily rely on UPnP.
Another use is Voice over IP (VoIP). The most frequently used open VoIP protocols
(H323, SIP) have a rather complex flow of network packets, with multiple packet
streams flowing back and forth. For example, the SIP protocol stack uses a few
different protocols over the course of a phone call. First a connection is set up
between two machines using SIP to negotiate various properties of the connection,
such as the codec which has to be used. If this negotiation is successful, a new
connection is set up between the machines in both directions using RTP. The port for
the incoming traffic should be opened in the firewall, otherwise the communication
will be one-way, because RTP packets will simply be dropped¹. With UPnP the

¹ And even then it is not guaranteed to work. The RTP protocol encodes the IP address inside
the TCP payload. A normal NAT device will not rewrite the IP address inside the RTP packet.
To do this you will need a special proxy NAT device that knows how to rewrite RTP packets
properly.

Table of contents

Page 1 - April 7, 2006


Page 2

[Figure labels: WAN, www.sane.nl, ev1l h4x0r, AddPortMapping on port 22 to www.sane.nl:222222, Telco/LAN Router]
The hack works as follows:
• Let machine A ask the Speedtouch to

Page 3 - 3 Design of UPnP

Internet Gateway Device specification!), but for some reason these changes never made it upstream to Broadcom, or were never incorporated by Broadcom. Br

Page 4 - 3.2 Protocol design

Because no devices implement it, it means that there is currently no fine grained solution available that only allows for certain devices or application

Page 5

7.2.3 Step 2: Description & step 3: Control
Disabling discovery and notification will not take away the possibility to download the description XML fi

Page 6

• Do not allow forwards to certain machines on the inside network (blacklisting).
• Only allow forwards to certain machines on the inside network (whit

Page 7 - 4 UPnP security attacks

The question that should be asked is how far we want to go with this type of technology. The core issue is what is more important, security or convenie

Page 8 - 10.0.0.152

A.3 Linksys
A.3.1 WRT54G and WRT54GS
model        firmware  device                   NAT bug
WRT54G v2.2  3.03.9    wireless gateway/router  yes
WRT54G v2.2  4.20.7    wireless gateway/route

Page 9

bound=600
while(i<bound):
    print "i: ", i, server._sa(soapaction).GetGenericPortMappingEntry(NewPortMappingIndex=i)
    i=i+1
A.4 Alcatel/Thomson
A.

Page 10 - Telco/LAN Router

the device was connected to a 10.0.0.0/8 network with its external interface it was not possible to make forwards to other machines on that networks, b

Page 11 - 5 Other UPnP hacks

incoming port on the firewall could be opened in advance, or opened once the SIP negotiation has ended and before the RTP streams are set up. There are

Page 12 - 7 Counter measures

the default Ethernet ADSL modem that was used by KPN in the Netherlands was the Alcatel/Thomson Speedtouch 510, which enables UPnP by default. In the we

Page 13 - 8 Fixing UPnP

to as “devices”. The role a machine has can be different per context. For example, a machine that is normally a “control point” (for example a file serve

Page 14 - 9 IETF Zeroconf

MAN: ssdp:discover
MX: 10
ST: ssdp:all
All control points are required to respond to this message by sending back a similar message via UDP unicasting bac

Page 15 - 11 Conclusion

<SCPDURL>/WANPPPConnection.xml</SCPDURL>
</service>
For sending SOAP requests only controlURL is necessary. The eventSubURL is used in

Page 16 - A.3 Linksys

3.2.5 Step 4: Eventing
Control points keep state, which devices can read out. A device can register with the control point to receive event messages whe

Page 17 - A.6 ZyXEL

the firewall to other machines. Any host on the internal network can ask for any portmapping it desires, so the machine on 10.0.0.152 could execute the

Page 18 - References

From the context it is not entirely clear if “that client” should always be the requesting device. It should be clear that this is a security bug and
